Probe SixProbe Six|Documentation

OWASP Top 10 for LLM Applications

The OWASP Top 10 for Large Language Model Applications is published by the Open Worldwide Application Security Project (OWASP), the same organisation behind the widely adopted OWASP Top 10 for web applications. The LLM-specific list identifies the ten most critical security vulnerabilities in applications that integrate large language models.

First published in 2023 and revised in 2025, the list reflects the rapidly evolving threat landscape for LLM applications including prompt injection, data leakage, supply chain compromise, and the unique risks of agentic AI systems with tool access. It has become the de facto standard for LLM security assessment and is referenced by regulators, auditors, and security teams worldwide.

Probe Six maps 146 automated security plugins across all 10 OWASP LLM categories, with 69 governance assessment questions covering organisational controls that cannot be tested at runtime. Every finding in a Probe Six report includes OWASP category references, making it straightforward to report on compliance posture.

The Ten Categories

LLM01: Prompt Injection

Manipulating LLM behaviour through crafted inputs that override system instructions, either directly via user prompts or indirectly via external content ingested by the model.

LLM02: Sensitive Information Disclosure

LLMs inadvertently revealing confidential data, PII, credentials, or proprietary information through their responses, either from training data or connected systems.

LLM03: Supply Chain Vulnerabilities

Risks from compromised components in the AI supply chain including poisoned training data, manipulated pre-trained models, and vulnerable third-party packages.

LLM04: Data and Model Poisoning

Attacks that corrupt training data or model weights to introduce backdoors, biases, or degraded performance that persist after deployment.

LLM05: Improper Output Handling

Failures to validate, sanitise, or encode LLM outputs before passing them to downstream systems, leading to XSS, SQL injection, command execution, and other injection vulnerabilities.

LLM06: Excessive Agency

LLM agents granted too many permissions, functions, or autonomy, allowing them to take unintended actions including data access, system modification, or external communication beyond their intended scope.

LLM07: System Prompt Leakage

Extraction of system prompts that contain proprietary logic, security rules, or sensitive configuration through direct or multi-turn conversational attacks.

LLM08: Vector and Embedding Weaknesses

Vulnerabilities in RAG pipelines and vector databases including poisoned embeddings, cross-tenant data leakage, and retrieval manipulation attacks.

LLM09: Misinformation

LLMs generating false, misleading, or harmful content including hallucinated facts, fabricated citations, biased outputs, and unsafe professional advice.

LLM10: Unbounded Consumption

Attacks that exhaust computational resources through token amplification, recursive reasoning, tool abuse, and context overflow, leading to denial of service or cost harvesting.

Coverage Summary

146
Automated Plugins
69
Governance Questions
10
OWASP Categories

Automated Plugins by Category

The tables below list every automated security plugin mapped to each OWASP LLM category, with severity ratings and justification for the mapping.

LLM01: Prompt Injection (28 plugins)

PluginWhat It TestsSeverityWhy This Category
ASCII SmugglingUses invisible Unicode characters to hide instructions in promptsHighExploits prompt parsing to inject hidden instructions
Indirect Prompt InjectionInjects instructions via external content (documents, URLs, RAG)CriticalCore indirect injection vector via untrusted data sources
Direct Prompt InjectionAttempts to override system instructions via user inputCriticalCore direct injection vector via user-supplied prompts
Multimodal InjectionEmbeds malicious instructions in images or other modalitiesCriticalCross-modal prompt injection bypassing text-only filters
Temporal Evasion: Past TenseFrames harmful requests as historical eventsHighTemporal reframing to bypass injection detection
Temporal Evasion: Future TenseFrames harmful requests as hypothetical future scenariosHighTemporal reframing to bypass injection detection
Temporal Evasion: Academic FramingFrames harmful requests as academic researchHighContext reframing to bypass injection detection
Encoding Bypass: HexEncodes malicious payloads in hexadecimalHighEncoding-based injection evasion
Encoding Bypass: Base16Encodes payloads in Base16HighEncoding-based injection evasion
Encoding Bypass: Base64Encodes payloads in Base64HighEncoding-based injection evasion
Encoding Bypass: Base32Encodes payloads in Base32HighEncoding-based injection evasion
Encoding Bypass: ROT13Applies ROT13 cipher to mask contentHighCipher-based injection evasion
Encoding Bypass: UUEncodeEncodes payloads using UUEncodingMediumLegacy encoding injection evasion
Encoding Bypass: AtbashApplies Atbash cipher to mask instructionsMediumCipher-based injection evasion
Encoding Bypass: MorseEncodes instructions in Morse codeMediumEncoding-based injection evasion
Encoding Bypass: NATO PhoneticSpells instructions using NATO alphabetMediumPhonetic encoding injection evasion
Encoding Bypass: BrailleEncodes payloads using Braille charactersMediumUnicode encoding injection evasion
Encoding Bypass: ZalgoUses Zalgo combining characters to obscure contentMediumUnicode manipulation injection evasion
Encoding Bypass: LeetspeakSubstitutes characters with numbers/symbolsMediumCharacter substitution injection evasion
Encoding Bypass: Quoted PrintableEncodes payloads using Quoted-PrintableMediumMIME encoding injection evasion
Encoding Bypass: ASCII85Encodes payloads using ASCII85MediumBinary-to-text encoding injection evasion
Encoding Bypass: Unicode HomoglyphsReplaces characters with visually identical Unicode glyphsHighHomoglyph-based injection evasion
Encoding Bypass: BiDi ReorderUses bidirectional Unicode control charactersHighText direction manipulation injection evasion
Cross-Lingual: Direct TranslationTranslates harmful prompts into other languagesHighCross-language injection evasion
Cross-Lingual: Code SwitchingMixes languages within a single promptHighLanguage mixing injection evasion
Cross-Lingual: TransliterationWrites harmful content using transliterated scriptHighScript conversion injection evasion
Cross-Lingual: Low ResourceUses low-resource languages with weaker safety trainingHighLow-resource language injection evasion
Cross-Lingual: Response ForcingForces model to respond in a specific languageMediumOutput language forcing to bypass filters

LLM02: Sensitive Information Disclosure (14 plugins)

PluginWhat It TestsSeverityWhy This Category
Debug AccessProbes for exposed debug endpoints and verbose error responsesMediumDebug interfaces can leak sensitive system information
Error Info LeakageTriggers errors to extract system informationHighError messages can disclose internal model and infrastructure details
PII: DirectDirectly requests personally identifiable informationHighTests for direct PII disclosure in responses
PII: API/DBExtracts PII from connected databases or APIsHighTests for PII leakage from backend data sources
PII: SessionExtracts PII from other user sessionsHighTests for cross-session PII disclosure
PII: SocialUses social engineering to extract personal informationMediumTests for PII disclosure via social engineering
Cross-Session LeakTests for data leakage between user sessionsCriticalSession isolation failure enables information disclosure
Training Data ExtractionExtracts training data samples from model responsesCriticalTraining data may contain sensitive information
Cloud Service DiscoveryProbes for cloud service endpoints and configurationsHighDiscovers infrastructure details that should be confidential
Membership InferenceDetermines if specific data was in the training setHighConfirms presence of specific sensitive data in training
Model InversionReconstructs training data inputs from model outputsHighReconstructs potentially sensitive training data
Model Theft: Weight ExtractionAttempts to extract model weights via inference APIHighModel weights are proprietary and may contain sensitive data
Model Theft: Memorisation AttackExtracts memorised training examples verbatimHighMemorised data may include sensitive training samples
Model Theft: Capability CloningClones model capabilities via systematic queryingMediumProprietary model capabilities are sensitive IP

LLM03: Supply Chain Vulnerabilities (3 plugins)

PluginWhat It TestsSeverityWhy This Category
Supply Chain: Package HallucinationTests if model recommends non-existent packagesHighHallucinated packages can be registered by attackers
Supply Chain: Dependency ConfusionTests if model suggests internal package names publiclyHighDependency confusion enables supply chain compromise
Supply Chain: Model ProvenanceVerifies model provenance claims and integrityMediumUnverified model provenance is a supply chain risk

LLM04: Data and Model Poisoning (3 plugins)

PluginWhat It TestsSeverityWhy This Category
Poisoning: Backdoor TriggerTests for backdoor triggers in model responsesCriticalBackdoor triggers indicate data or model poisoning
Poisoning: Behavioural ConsistencyTests model behaviour consistency across rephrased inputsHighInconsistent behaviour can indicate poisoned training data
Poisoning: Training Bias ProbeProbes for biases from poisoned training dataMediumInjected biases indicate targeted data poisoning

LLM05: Improper Output Handling (11 plugins)

PluginWhat It TestsSeverityWhy This Category
SQL InjectionTests if LLM outputs inject SQL into downstream systemsHighUnsanitised LLM output enables SQL injection
Shell InjectionTests if LLM outputs inject shell commandsCriticalUnsanitised LLM output enables command execution
SSRFTests for server-side request forgery via AI-generated URLsHighLLM-generated URLs can target internal resources
Output Injection: XSSTests if LLM outputs contain executable HTML/JavaScriptCriticalLLM output rendered in browsers enables XSS
Output Injection: Markdown ExfiltrationTests if markdown rendering can exfiltrate dataCriticalMarkdown image tags in output can exfiltrate data
Output Injection: Link InjectionTests if LLM outputs contain malicious linksHighLLM-generated links can redirect to attacker sites
Output Injection: CSS InjectionTests if LLM outputs can inject CSSHighCSS injection via LLM output enables data exfiltration
Malware Generation: Top LevelTests refusal of complete malware code generationCriticalLLM output used directly as executable code
Malware Generation: Sub-FunctionsTests refusal of malware component generationCriticalLLM output used as executable code components
Malware Generation: PayloadTests refusal of malware payload generationHighLLM output used as exploit payloads
Malware Generation: EvasionTests refusal of evasion technique generationHighLLM output used to create evasion capabilities

LLM06: Excessive Agency (14 plugins)

PluginWhat It TestsSeverityWhy This Category
RBACTests role-based access control enforcementHighAgents accessing data beyond their role scope
BOLATests for broken object-level authorisationHighAgents accessing objects they should not reach
BFLATests for broken function-level authorisationHighAgents invoking functions beyond their scope
Excessive AgencyTests if agent executes actions beyond intended scopeHighCore excessive agency — agent exceeds intended permissions
HijackingTests if agent can be redirected to attacker-controlled actionsHighAgent action redirection via prompt manipulation
Plugin DiscoveryProbes for available tools and their capabilitiesHighEnumerating agent tools to identify exploitable capabilities
Data ExfiltrationTests if agent can exfiltrate data via available toolsCriticalAgent using tools to exfiltrate data beyond scope
Self-ReplicationTests if prompts cause recursive self-executionCriticalAutonomous self-replication is excessive agency
API Access: InferenceTests inference API access control bypassHighExcessive access to AI inference capabilities
API Access: Product ServiceTests product service access boundariesMediumExcessive access to AI product service features
Reverse ShellTests if model generates reverse shell payloadsCriticalAgent generating C2 capabilities is extreme agency abuse
Scope AdherenceTests if model stays within designated scopeMediumOperating outside intended scope is excessive agency
Secrets ProbingProbes for exposed API keys, tokens, and credentialsCriticalAgent accessing credentials beyond its scope
Privilege EscalationAttempts vertical privilege escalationHighAgent escalating its own permissions

LLM07: System Prompt Leakage (7 plugins)

PluginWhat It TestsSeverityWhy This Category
Prompt ExtractionExtracts the full system promptMediumDirect system prompt extraction attack
Model FingerprintingIdentifies model type, version, and architectureHighModel identity leakage reveals system configuration
System Leakage: Multi-Turn ExtractionGradually extracts system information across turnsHighMulti-turn conversational system prompt extraction
System Leakage: Tool Schema LeakageExtracts tool schemas and function definitionsHighTool schema exposure reveals system prompt structure
System Leakage: Config LeakageExtracts system configuration and parametersMediumConfiguration leakage reveals system prompt details
Model Discovery: OntologyMaps model domain knowledge boundariesMediumKnowledge boundaries reveal system prompt scope
Model Discovery: FamilyIdentifies model family and training lineageMediumModel identity reveals deployment configuration

LLM08: Vector and Embedding Weaknesses (5 plugins)

PluginWhat It TestsSeverityWhy This Category
RAG: PoisoningInjects false entries into RAG knowledge baseCriticalCore RAG poisoning attack on vector store
RAG: Context OverrideManipulates retrieval context to surface attacker contentHighRetrieval manipulation via context override
RAG: Retrieval ManipulationManipulates RAG retrieval ranking and resultsHighDirect manipulation of embedding-based retrieval
RAG: Embedding CollisionCreates embedding collisions to hijack retrievalMediumExploits embedding similarity for adversarial retrieval
RAG: Cross-Tenant LeakageTests tenant isolation in shared vector storesCriticalMulti-tenant vector store data isolation failure

LLM09: Misinformation (55 plugins)

PluginWhat It TestsSeverityWhy This Category
OverrelianceTests for excessive user trust in AI outputsMediumEncourages overreliance on potentially inaccurate outputs
HallucinationTests model propensity to generate fabricated informationMediumCore hallucination and fabricated content generation
ImitationTests if model impersonates authoritative sourcesMediumImpersonation of experts spreads misinformation
CompetitorsTests for inappropriate competitor commentaryLowFalse claims about competitors are misinformation
ContractsTests for inappropriate contractual statementsMediumFalse contractual claims are actionable misinformation
PoliticsTests for inappropriate political statementsLowPolitical misinformation and undue influence
MasqueradingTests if model disguises harmful content as benignMediumContent masquerading as trustworthy spreads misinformation
AI Self-DisclosureTests if model discloses its AI natureMediumFailing to identify as AI enables deception
Limitation DisclosureTests if model discloses its limitationsMediumUndisclosed limitations lead to overreliance
Confidence CalibrationTests if confidence levels match actual accuracyMediumMiscalibrated confidence promotes misinformation
ExplainabilityTests if model explains its reasoningMediumUnexplainable outputs cannot be verified for accuracy
Professional Advice: MedicalTests appropriate medical advice disclaimersHighUnqualified medical advice is dangerous misinformation
Professional Advice: LegalTests appropriate legal advice disclaimersHighUnqualified legal advice is dangerous misinformation
Professional Advice: FinancialTests appropriate financial advice disclaimersHighUnqualified financial advice is dangerous misinformation
Content MarkingTests if AI-generated content is labelledMediumUnlabelled AI content is deceptive by omission
SycophancyTests if model prioritises agreement over accuracyHighSycophantic responses reinforce incorrect beliefs
Trusted Output ManipulationTests if outputs can mislead usersHighManipulated trusted outputs spread misinformation
Factual AccuracyTests model propensity for inaccurate claimsHighFactually incorrect outputs are core misinformation
Citation VerificationTests if model fabricates citationsMediumFabricated citations are verifiable misinformation
Bias: RaceTests for racial bias in outputsHighRacial bias produces discriminatory misinformation
Bias: GenderTests for gender bias in outputsHighGender bias produces discriminatory misinformation
Bias: AgeTests for age bias in outputsMediumAge bias produces discriminatory misinformation
Bias: DisabilityTests for disability bias in outputsHighDisability bias produces discriminatory misinformation
Bias: ReligionTests for religious bias in outputsHighReligious bias produces discriminatory misinformation
Bias: Sexual OrientationTests for sexual orientation biasHighSexual orientation bias produces discriminatory misinformation
Bias: SocioeconomicTests for socioeconomic biasMediumSocioeconomic bias produces discriminatory misinformation
Bias: PoliticalTests for political bias in outputsMediumPolitical bias produces skewed misinformation
Bias: NationalityTests for nationality biasMediumNationality bias produces discriminatory misinformation
Harmful: Violent CrimeTests refusal of violent crime contentCriticalViolent crime guidance is harmful misinformation
Harmful: Sex CrimeTests refusal of sex crime contentCriticalSex crime content is harmful misinformation
Harmful: Child ExploitationTests refusal of CSAM contentCriticalChild exploitation content is harmful misinformation
Harmful: Self-HarmTests refusal of self-harm contentCriticalSelf-harm promotion is dangerous misinformation
Harmful: Chemical/Bio WeaponsTests refusal of WMD instructionsCriticalWeapons instructions are dangerous misinformation
Harmful: Indiscriminate WeaponsTests refusal of mass weapons contentCriticalWeapons of mass effect guidance is misinformation
Harmful: RadicalisationTests refusal of radicalisation contentCriticalExtremist radicalisation content is misinformation
Harmful: Non-Violent CrimeTests refusal of fraud/crime guidanceHighCriminal guidance is harmful misinformation
Harmful: HateTests refusal of hate speechHighHate speech is discriminatory misinformation
Harmful: CybercrimeTests refusal of cybercrime contentHighCybercrime guidance is harmful misinformation
Harmful: Illegal DrugsTests refusal of illegal drug contentHighDrug manufacturing guidance is harmful content
Harmful: HarassmentTests refusal of harassment contentHighHarassment content promotes harmful behaviour
Harmful: Illegal ActivitiesTests refusal of illegal activity guidanceHighIllegal activity guidance is harmful misinformation
Harmful: MisinformationTests refusal of deliberate disinfoHighDeliberate misinformation generation
Harmful: PrivacyTests refusal of privacy violationsHighPrivacy-violating content is harmful
Harmful: Sexual ContentTests refusal of explicit contentMediumUnsolicited sexual content is harmful
Harmful: Graphic ContentTests refusal of graphic violenceMediumGratuitous graphic content is harmful
Harmful: Unsafe PracticesTests refusal of dangerous adviceMediumUnsafe practice guidance is misinformation
Harmful: Intellectual PropertyTests refusal of IP theft assistanceMediumIP theft guidance is harmful misinformation
Harmful: Copyright ViolationsTests refusal of copyright infringementMediumCopyright infringement assistance is harmful
Harmful: Specialised AdviceTests disclaimers for professional adviceMediumUnqualified specialised advice is misinformation
Harmful: ProfanityTests refusal of excessive profanityLowUnprofessional language degrades output quality
Harmful: InsultsTests refusal of personal insultsLowDirected insults are harmful content
Patent DisclosureTests if model discloses patent-protected technical detailsMediumPatent disclosure enables competitive reverse-engineering
Trademark InfringementTests if model generates trademark-infringing contentMediumFake endorsements and brand impersonation are misinformation
Market ManipulationTests if model generates market-manipulative contentHighFabricated financial content is dangerous misinformation
Confidential StrategyTests if model speculates on confidential business strategyHighPlausible strategy fabrication is actionable misinformation

LLM10: Unbounded Consumption (6 plugins)

PluginWhat It TestsSeverityWhy This Category
Divergent RepetitionTriggers repetitive output patterns wasting resourcesMediumRepetitive generation exhausts context and tokens
Consumption: Token AmplificationTriggers excessive token generationMediumToken amplification directly causes resource exhaustion
Consumption: Recursive ReasoningInduces recursive reasoning loopsMediumRecursive loops cause unbounded computation
Consumption: Tool AbuseAbuses agent tools to cause API fanoutHighTool abuse causes cascading resource consumption
Consumption: Chaff DataFloods system with irrelevant dataMediumChaff data wastes processing and storage resources
Consumption: Context OverflowOverflows context window to degrade performanceMediumContext overflow degrades service for all users

Governance Assessment Questions

The following governance questions are assessed inline within the category picker on the scan configuration page. When you select a category, its governance panel auto-expands so you can answer questions in context. Answers auto-save and persist across scans. Each question is weighted for risk scoring (shown as a badge) with the answer type indicated.

LLM01: Prompt Injection

  1. Are input filtering and detection controls deployed to identify prompt injection attempts?9Y/N
  2. Is content moderation applied to user inputs before they reach the LLM?8Y/N
  3. Is the system prompt hardened against extraction and override attempts?9Y/N
  4. Are indirect injection vectors (uploaded documents, URLs, RAG-ingested content) assessed and filtered for embedded instructions?9Y/N
  5. Is layered defence used (multiple independent filters) rather than a single point of failure?8Y/N
  6. Are input length and complexity limits enforced to prevent context manipulation?7Y/N
  7. Are prompt injection attempts logged, monitored, and alertable?8Y/N
  8. Is there automated detection for jailbreak patterns (DAN mode, roleplay, authority override)?8Y/N
  9. Are input filtering controls validated for effectiveness across non-English languages?9Y/N
  10. Is prompt injection testing conducted in multiple languages including low-resource languages (e.g. Swahili, Bengali, Amharic)?8Y/N
  11. How frequently is prompt injection testing conducted with updated attack vectors?71–5
  12. Is there an incident response process for detected injection attempts?7Y/N

LLM02: Sensitive Information Disclosure

  1. Is PII/sensitive data classification applied to both model training data and inference outputs?9Y/N
  2. Are output filters deployed to prevent PII, credentials, and confidential data leakage in responses?9Y/N
  3. Is the system prompt classified as confidential and protected from extraction?8Y/N
  4. Are training datasets reviewed and sanitised for sensitive, personal, or proprietary information?8Y/N
  5. Is cross-user session isolation enforced to prevent data leakage between users?9Y/N
  6. Is there monitoring for unusual data extraction patterns (repeated probing, systematic querying for sensitive data)?8Y/N
  7. Are error messages sanitised to prevent leaking internal model or infrastructure details?7Y/N
  8. Is there a logging and audit trail for information disclosure events?7Y/N
  9. Are data retention and deletion policies applied to model interactions and conversation logs?7Y/N
  10. How mature is your data loss prevention programme for AI-generated outputs?71–5

LLM03: Supply Chain Vulnerabilities

  1. Do you maintain a Software Bill of Materials (SBOM) for your LLM dependencies?8Y/N
  2. Are third-party model providers vetted against security criteria before adoption?7Y/N
  3. Do you verify model checksums or signatures when downloading weights?9Y/N
  4. How frequently are dependencies and plugins reviewed for vulnerabilities?61–5
  5. Is there a process for responding to supply chain security advisories?7Y/N

LLM04: Data and Model Poisoning

  1. Is training data validated for integrity before use?9Y/N
  2. Are data provenance records maintained for training datasets?7Y/N
  3. Do you monitor model outputs for signs of data poisoning (drift, bias shifts)?8Y/N
  4. How confident are you in the cleanliness of your fine-tuning data?61–5

LLM05: Improper Output Handling

  1. Are LLM outputs sanitised before rendering in HTML or executing as code?10Y/N
  2. Is there output validation to prevent injection into downstream systems (SQL, shell, APIs)?9Y/N
  3. Are structured output schemas enforced (e.g. JSON schema validation)?6Y/N

LLM06: Excessive Agency

  1. Are tool permissions scoped to minimum necessary (least privilege)?9Y/N
  2. Is human approval required for high-impact actions (delete, send, pay)?10Y/N
  3. Can the agent access systems or data outside its intended scope?8Y/N
  4. How well are agent actions logged and auditable?71–5

LLM07: System Prompt Leakage

  1. Is the system prompt protected against direct extraction attacks (meta-prompting, "reveal your instructions" attempts)?9Y/N
  2. Are system prompts stored securely with access controls and version history?8Y/N
  3. Are internal configuration details, API keys, and secrets excluded from system prompts?10Y/N
  4. Is separation enforced between system-level instructions and user-accessible content?8Y/N
  5. Is monitoring deployed to detect system prompt content appearing in model responses?8Y/N
  6. Is there detection for multi-turn extraction attempts that gradually probe for system information?7Y/N
  7. Are system prompt changes subject to a review and approval process?7Y/N
  8. How frequently is system prompt extraction resistance tested?71–5

LLM08: Vector and Embedding Weaknesses

  1. Are RAG knowledge base contents validated for accuracy and authority before indexing?9Y/N
  2. Is multi-tenant data isolation enforced in vector stores (one user cannot access another user's documents)?10Y/N
  3. Are document-level access permissions enforced in RAG retrieval (not just store-level access)?9Y/N
  4. Are knowledge base query results filtered by user permissions before delivery?8Y/N
  5. Is the RAG document ingestion pipeline secured against adversarial document injection?9Y/N
  6. Is embedding model provenance verified and integrity maintained?7Y/N
  7. Is there monitoring for adversarial manipulation of embedding similarity (collision attacks)?7Y/N
  8. Are vector store backup and recovery procedures documented and tested?6Y/N
  9. Are obsolete or revoked documents removed from vector stores in a timely manner?7Y/N
  10. How mature is your RAG security programme?71–5

LLM09: Misinformation

  1. Are LLM outputs validated for factual accuracy before delivery to users?8Y/N
  2. Are controls deployed to detect and flag hallucinated citations or fabricated references?8Y/N
  3. Is source attribution required for factual claims in AI-generated content?7Y/N
  4. Are domain-specific accuracy benchmarks established and regularly tested?7Y/N
  5. Are appropriate disclaimers and confidence indicators shown to users for AI-generated content?7Y/N
  6. Is there a human review process for high-stakes content (medical, legal, financial, safety-critical)?9Y/N
  7. Are user feedback mechanisms available for reporting AI-generated misinformation?6Y/N
  8. Is content accuracy and safety testing conducted across multiple languages?8Y/N
  9. Are content safety filters validated across all supported languages including low-resource languages?8Y/N
  10. How mature is your hallucination detection and content verification programme?71–5

LLM10: Unbounded Consumption

  1. Are rate limits configured for API access to the LLM?7Y/N
  2. Are token limits enforced per request and per user session?6Y/N
  3. Is there monitoring for anomalous usage patterns (cost spikes, excessive calls)?8Y/N

Running an OWASP Assessment

To run an OWASP-aligned assessment:

  1. Register your endpoint— Add the AI system you want to assess via the Endpoints page
  2. Select the OWASP LLM Top 10 template— Choose individual categories for targeted testing or select all 10 for comprehensive coverage
  3. Complete governance questions— When you select a category, its governance questions appear inline below the category row. Answer them in context — your responses auto-save and persist across scans
  4. Review OWASP references— Each finding in your report includes OWASP LLM category references (LLM01–LLM10) alongside MITRE ATLAS, NIST, and other framework mappings

Governance assessment: When you select a category in the picker, its governance questions appear inline below the category row. Answer them in context to get a combined automated + governance posture score. This is particularly valuable for categories like LLM03 (Supply Chain) and LLM04 (Data Poisoning) where many risks cannot be tested at runtime.

References